Malware Analysis Report

2024-11-16 10:45

Sample ID 240603-lxnlzaaf6y
Target 915a10efac3282f4354b15e1cc4de266_JaffaCakes118
SHA256 eb9a2183d9856fb03d824924f8ec2d263dc3d110f247466d7d60964e0f4abea3
Tags
upx discovery evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eb9a2183d9856fb03d824924f8ec2d263dc3d110f247466d7d60964e0f4abea3

Threat Level: Known bad

The file 915a10efac3282f4354b15e1cc4de266_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx discovery evasion trojan

UAC bypass

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:54

Reported

2024-06-03 09:57

Platform

win7-20240419-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\progra~1\remotehelp36\HDVNCRun.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\progra~1\remotehelp36\icon2.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\splash.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\helpdesk.txt \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.ini \??\c:\progra~1\remotehelp36\hdvncrun.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\sound.wav C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\HDVNCRun.ini C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\helpdesk.txt \??\c:\progra~1\remotehelp36\winvnc.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\icon1.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\sound.wav C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\rc4.key C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\cad.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\rc4.key C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\icon1.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.ini C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\cad.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\winvnc.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\LAP Splash Logo.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\winvnc.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\splash.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\icon2.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\LAP Splash Logo.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A
N/A N/A \??\c:\progra~1\remotehelp36\winvnc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A \??\c:\progra~1\remotehelp36\winvnc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1148 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe \??\c:\progra~1\remotehelp36\HDVNCRun.exe
PID 2716 wrote to memory of 2276 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\HDVNCRun.exe
PID 2276 wrote to memory of 2564 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\progra~1\remotehelp36\HDVNCRun.exe
PID 2564 wrote to memory of 2708 N/A C:\progra~1\remotehelp36\HDVNCRun.exe C:\Windows\SysWOW64\net.exe
PID 2708 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2536 wrote to memory of 2704 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\hdvncrun.exe
PID 2536 wrote to memory of 3044 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\winvnc.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\BackupConsentPromptBehaviorAdmin = "5" C:\progra~1\remotehelp36\HDVNCRun.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\progra~1\remotehelp36\HDVNCRun.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe

"C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe"

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

.\HDVNCRun.exe /install

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

c:\progra~1\remotehelp36\HDVNCRun.exe -installserviceadmin

C:\progra~1\remotehelp36\HDVNCRun.exe

"C:\progra~1\remotehelp36\HDVNCRun.exe" /installservice

C:\Windows\SysWOW64\net.exe

net start HelpDeskVNCV3

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start HelpDeskVNCV3

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

c:\progra~1\remotehelp36\HDVNCRun.exe /service

\??\c:\progra~1\remotehelp36\hdvncrun.exe

c:\progra~1\remotehelp36\hdvncrun.exe /toolbar

\??\c:\progra~1\remotehelp36\winvnc.exe

c:\progra~1\remotehelp36\winvnc.exe

Network

Country Destination Domain Proto
US 70.168.189.148:4204 tcp

Files

memory/1148-0-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1148-1-0x0000000000020000-0x0000000000040000-memory.dmp

memory/1148-2-0x0000000000020000-0x0000000000040000-memory.dmp

\PROGRA~1\remotehelp36\HDVNCRun.exe

\??\c:\progra~1\remotehelp36\HDVNCRun.ini

\??\c:\progra~1\remotehelp36\splash.jpg

memory/1148-52-0x0000000000400000-0x0000000000420000-memory.dmp

\??\c:\progra~1\remotehelp36\winvnc.exe

\??\c:\progra~1\remotehelp36\helpdesk.txt

\??\c:\progra~1\remotehelp36\icon2.ico

\??\c:\progra~1\remotehelp36\icon1.ico

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:54

Reported

2024-06-03 09:57

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\progra~1\remotehelp36\LAP Splash Logo.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\icon2.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\icon2.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.ini \??\c:\progra~1\remotehelp36\hdvncrun.exe N/A
File created \??\c:\progra~1\remotehelp36\icon1.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\splash.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\winvnc.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\LAP Splash Logo.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\splash.jpg C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\helpdesk.txt \??\c:\progra~1\remotehelp36\winvnc.exe N/A
File created \??\c:\progra~1\remotehelp36\HDVNCRun.ini C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.ini C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\cad.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\sound.wav C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\icon1.ico C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\rc4.key C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\helpdesk.txt \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\rc4.key C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\winvnc.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\sound.wav C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File created \??\c:\progra~1\remotehelp36\MSRC4Plugin.dsm C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A
File opened for modification \??\c:\progra~1\remotehelp36\cad.exe C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A
N/A N/A \??\c:\progra~1\remotehelp36\winvnc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A \??\c:\progra~1\remotehelp36\winvnc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3812 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe \??\c:\progra~1\remotehelp36\HDVNCRun.exe
PID 224 wrote to memory of 1032 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\HDVNCRun.exe
PID 1032 wrote to memory of 2988 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe C:\progra~1\remotehelp36\HDVNCRun.exe
PID 2988 wrote to memory of 4480 N/A C:\progra~1\remotehelp36\HDVNCRun.exe C:\Windows\SysWOW64\net.exe
PID 4480 wrote to memory of 1360 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5012 wrote to memory of 4984 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\hdvncrun.exe
PID 5012 wrote to memory of 1480 N/A \??\c:\progra~1\remotehelp36\HDVNCRun.exe \??\c:\progra~1\remotehelp36\winvnc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe

"C:\Users\Admin\AppData\Local\Temp\Technician-2-Cliff.exe"

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

.\HDVNCRun.exe /install

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

c:\progra~1\remotehelp36\HDVNCRun.exe -installserviceadmin

C:\progra~1\remotehelp36\HDVNCRun.exe

"C:\progra~1\remotehelp36\HDVNCRun.exe" /installservice

C:\Windows\SysWOW64\net.exe

net start HelpDeskVNCV3

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start HelpDeskVNCV3

\??\c:\progra~1\remotehelp36\HDVNCRun.exe

c:\progra~1\remotehelp36\HDVNCRun.exe /service

\??\c:\progra~1\remotehelp36\hdvncrun.exe

c:\progra~1\remotehelp36\hdvncrun.exe /toolbar

\??\c:\progra~1\remotehelp36\winvnc.exe

c:\progra~1\remotehelp36\winvnc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 70.168.189.148:4204 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 70.168.189.148:4204 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 70.168.189.148:4204 tcp

Files

memory/3812-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Program Files\remotehelp36\HDVNCRun.exe

MD5 a49d3685a323922340adb4a66b80e9fe
SHA1 4e40d15b24dbc6bcdf13e15227d332ad6499da6e
SHA256 a54d7e8317d2fa4406eec4540b8fe62b4c3d8e8374eb91c17866e68dad4e5a72
SHA512 1f3c00b8d89c643b0f315015af2d5826338a18d0f81af488725cb130c2d25ddf3ffa6e6e29ecac0f9cc7c32ecc28f5e05ed20938b8376d7f1b22b2a3f6b92dc8

\??\c:\progra~1\remotehelp36\HDVNCRun.ini

MD5 1858b8cdd098ab3569a229b5348c5965
SHA1 4833d6dc35c6dd5c5c187376c249cbfa1aa4d500
SHA256 ec79e4e7e8d5ccab110dc9c185d390ffae402e2623a8cece949db289fb5e52d9
SHA512 e4c956035bdfaea8fbb3dc83c9f8de57d9d7834f7fe2bcb7c9f5b221322ffbfea0c6831098900bc8b5e78435cd694766bc7eff28d0e6cc88a3c806d002133028

\??\c:\progra~1\remotehelp36\splash.jpg

MD5 c20e209a10c71223675f34dc0a8efcad
SHA1 da46bed3290ccd07afcf66bdb35d67d3903d94a9
SHA256 a6d16083c4e921e769cd40aa8d6f9700a04374c1c6f95b288834709c368baa4d
SHA512 80263b6ed5003d085b9ad13d5fadc339646ca8d1cda621e7a030c5a9a4665dc61fe7006fe3a5fb8a21b0cc61c713c808264da32b1852a02204a083f054520073

memory/3812-32-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Program Files\remotehelp36\winvnc.exe

MD5 3bee39a195f797edebdfef6b31f9aa95
SHA1 4367fc1d8e0db7c1136f0bb89614ac92785ff498
SHA256 587d1afbb8f97894f38b37ea4af66fc754ca5753c2183e2cb058b9e698c9b044
SHA512 9541e88f112d9cf247b6552c6685fbbcf808576c77d707356292481e1aaa7758636935a7f8463681b486b021d97f35dd0e82487bd07f7819c414b23814a04cf6

\??\c:\progra~1\remotehelp36\helpdesk.txt

MD5 e19bc43022e9f28996e2c761d48cfc33
SHA1 6e487331d7eac438923a9f0c3a1f19ed87fd37f1
SHA256 163dc5756526a2ed5789b21e465b9a55da7e2bd75bd91e6f3e703b929644501e
SHA512 352fbe1d094049154e52afd71aaac9852ff95e0b0aa070b74afa2cfaba9a104e41f5c4c0ea61e07b14ccad86bcb45db3520c2239dea9479f126cd70ced75e61e

\??\c:\progra~1\remotehelp36\icon2.ico

MD5 d0cf267f77f42f79d01fc3cdfc6c5d9e
SHA1 f2af030713d7dc038e17f36576b85b6cbcd7570d
SHA256 975a1bd2e5700a105a5d4b05b7bebb1debd4c8eb4e67dd1f31f111787313b1f4
SHA512 a2570f0a7c988b63f39c41c8d297a48ba4d5b9f9ac546146834dc4cb20ba1c57a5b66a67fc1f7a7a1f7405c3661469b219a11d29bb01ba89fc1941c80ae956f9

\??\c:\progra~1\remotehelp36\icon1.ico

MD5 f2f28a9b65771f4ff31d7f84f5bcd9d7
SHA1 812617914a36b53bb4a0e3c1db0ce8881b38252b
SHA256 820dba2bc962d32288239e0e834637381d89c20460f8a9f299f277bd8c8d00c6
SHA512 c590d0f8ff29075cd958ef95c0b38924573cb99735e5e9726bcf8f7b650534e9db6ff31448d781d0120685974fb2f3179cf9b328b3497b1e2f4c91cc836fd590